Source: https://blog.malwarebytes.com/trojans/2021/12/emotets-back-and-it-isnt-wasting-any-time/

Trojans


EMOTET’S BACK AND IT ISN’T WASTING ANY TIME

Posted: December 3, 2021 by Pieter Arntz
Last updated: December 14, 2021

The world's most notorious malware is back and it's growing fast. What are
researchers seeing and what does it mean?

Emotet is one of the best known, and most dangerous, malware threats of the past
several years.

On several occasions it appeared to take an early retirement, but it has always
come back. In January of this year, a global police operation dismantled
Emotet’s botnet. Law enforcement then used their control of this infrastructure
to send a “self-destruct” update to Emotet executables. Infected organizations
were given a few months’ grace to clean up the neutered malware before the
remaining copies did as they’d been instructed and deleted themselves in April.

However, that wasn’t the end of the story.

Last month we reported on how another notorious bit of malware, TrickBot, was
helping Emotet come back from the dead. And then yesterday, several security
researchers saw another huge spike in Emotet’s activity.


BLINKING LIGHT

The presence of Emotet in the threat landscape has had the appearance of a
blinking red light for years. Emotet started out in 2014 as an
information-stealing banking Trojan that harvested sensitive financial
information from infected systems (which is why Malwarebytes detects some
components as Spyware.Emotet). Over the years, it evolved into a global-scale
distribution infrastructure for other malware.

During this time we have seen Emotet disappear and show up again on several
occasions. In September 2019, Emotet emerged from a four month hiatus with a new
spam campaign, before going back into hiding early in 2020 and reappearing in
July of the same year. Its use then declined, with occasional spikes, before it
returned just in time for Christmas and was then dealt a massive blow by
collective law enforcement action in January this year.


RECENT SPIKES

On December 1, 2021, our Threat Intelligence team noted a huge spike in
Emotet C2 activity.

[Chart: C2 activity observed by Malwarebytes]

Other researchers also noted spikes in the number of URLs being used to
distribute the malware, and the number of malware samples.
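As an added example of how a threat intelligence team can turn a daily C2 telemetry series into an alert like the one above (this is not Malwarebytes code, and the daily counts are constructed sample data): each day is compared against a robust baseline of the preceding week, using the median and median absolute deviation (MAD) so that a spike already inside the window does not inflate the threshold and hide the day after it.

```python
"""Added example: flag spikes in daily Emotet C2 sightings against a robust baseline.

The daily counts below are constructed sample data, not Malwarebytes telemetry.
"""
from statistics import median

# (day, number of C2 connection attempts seen that day) -- constructed values
DAILY_C2_HITS = [
    ("2021-11-20", 40), ("2021-11-21", 37), ("2021-11-22", 44), ("2021-11-23", 39),
    ("2021-11-24", 42), ("2021-11-25", 38), ("2021-11-26", 41), ("2021-11-27", 45),
    ("2021-11-28", 43), ("2021-11-29", 39), ("2021-11-30", 47),
    ("2021-12-01", 410), ("2021-12-02", 395),
]


def robust_spikes(series, window=7, k=6.0):
    """Return (day, count, baseline_median) for every day whose count exceeds
    median + k * MAD of the preceding `window` days.

    Median and MAD are used instead of mean and standard deviation: a spike that
    is already inside the window barely moves the median, so the following day
    (12-02 above, with 12-01 in its baseline) is still flagged.
    """
    spikes = []
    for i in range(window, len(series)):
        baseline = [count for _, count in series[i - window:i]]
        med = median(baseline)
        # A perfectly flat baseline has MAD 0; fall back to 1 so the threshold
        # stays finite instead of firing on any increase of a single hit.
        mad = median(abs(c - med) for c in baseline) or 1.0
        day, count = series[i]
        if count > med + k * mad:
            spikes.append((day, count, med))
    return spikes


if __name__ == "__main__":
    for day, count, baseline in robust_spikes(DAILY_C2_HITS):
        print(f"{day}: {count} C2 hits vs. baseline median {baseline:g}")
```

On the constructed series this flags December 1 and December 2 and nothing in the quiet week before; the `window` and `k` parameters are the knobs to tune against real telemetry, where weekly seasonality may call for a longer window.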



From all the reports and alerts by researchers and analysts we can see a few
interesting trends.

 * First of all, our own research shows the global distribution of Emotet has a
   clear focus on the US.
 * Looking at the malware URLs that URLhaus has associated with the latest
   Emotet campaigns, we see a lot of compromised WordPress sites.
 * Only yesterday we talked about how Emotet was being spread via malicious
   Windows App Installer packages. While this was not an entirely new method, it
   is not something we see every day.
 * The spam campaign that delivered the links to the App Installer packages
   hijacked existing conversations, using stolen reply-chain emails.
 * Researchers are seeing an uptick in the number of Emotet C2 servers.


SPECULATION

From this point on the content of this post is speculation, so feel free to skip
it if you have developed your own theories. Or feel free to compare notes and
leave your remarks in the comments.

Emotet is growing a lot faster than any newcomer to the scene could. This
seems to indicate that old relationships have been renewed, which usually means
that the people who tied these knots in the past are still working on the
project and bringing “old friends” back in.

Given the global distribution and the different campaigns that are ongoing, it’s
likely there are several different affiliates at work. And looking at their
methods we can tell that these are not “fresh out of their mother’s basement”
script kiddies either. They are using sophisticated methods and abusing
vulnerabilities that quite a lot of organizations still haven’t patched. For
example, some Microsoft Exchange vulnerabilities allow them to hijack existing
email threads, which gives the spam messages a higher credibility.

I checked the hosting companies for the WordPress sites, expecting to find a lot
of GoDaddy domains that might have been compromised while their credentials were
for sale. But I found a lot of different hosting companies, which makes
WordPress the common denominator. It’s likely therefore that the attackers are
exploiting vulnerable versions of WordPress plugins like OptinMonster, WP
Fastest Cache, and WooCommerce Dynamic Pricing and Discounts, all of which were
recently patched. (Although there are probably others that we do not know about
yet too.)
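The WordPress triage described in the bullet list and in the paragraph above, as an added example (this is not Malwarebytes code): parse a URLhaus-style CSV export, keep the rows tagged as Emotet, flag the URLs whose paths betray a WordPress install, and count URLs per host so that the common denominator stands out. The column layout follows the public URLhaus CSV feed, but every row is constructed sample data and the `.test` hostnames are not real indicators.

```python
"""Added example: triage URLhaus-style rows for Emotet URLs hosted on WordPress sites.

The column layout follows the public URLhaus CSV feed; the rows themselves are
constructed sample data and the .test hostnames are not real indicators.
"""
import csv
from collections import Counter
from urllib.parse import urlsplit

SAMPLE_CSV = """\
# constructed sample rows in the URLhaus CSV layout (not real indicators)
id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
1,2021-12-01 10:00:05,http://shop.example-a.test/wp-content/uploads/2021/12/inv.zip,online,2021-12-01 10:00:05,malware_download,"emotet,epoch4",https://urlhaus.example/url/1/,reporter_a
2,2021-12-01 10:02:11,http://www.example-b.test/wp-includes/js/doc.zip,online,2021-12-01 10:02:11,malware_download,"emotet,epoch5",https://urlhaus.example/url/2/,reporter_b
3,2021-12-01 10:05:42,http://example-c.test/wp-admin/css/document.dll,offline,2021-12-01 11:00:00,malware_download,"emotet",https://urlhaus.example/url/3/,reporter_a
4,2021-12-01 10:09:19,http://cdn.example-d.test/files/setup.exe,online,2021-12-01 10:09:19,malware_download,"TrickBot",https://urlhaus.example/url/4/,reporter_c
5,2021-12-01 10:12:33,http://blog.example-e.test/docs/statement.zip,online,2021-12-01 10:12:33,malware_download,"emotet,epoch4",https://urlhaus.example/url/5/,reporter_b
6,2021-12-01 10:15:01,http://shop.example-a.test/wp-content/plugins/cache/x.zip,online,2021-12-01 10:15:01,malware_download,"Emotet,epoch4",https://urlhaus.example/url/6/,reporter_a
"""

# Path fragments that exist only on a WordPress install. Their presence in a
# malware URL is a strong sign the host is a compromised WordPress site.
WORDPRESS_MARKERS = ("/wp-content/", "/wp-includes/", "/wp-admin/")


def parse_urlhaus(text):
    """Return the CSV rows as dicts, skipping the '#' comment lines URLhaus prepends."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return list(csv.DictReader(lines))


def tags_of(row):
    """URLhaus tags are a comma-separated string; normalise to a lowercase set."""
    return {t.strip().lower() for t in row["tags"].split(",") if t.strip()}


def is_wordpress_url(url):
    """True when the URL path contains a directory that only WordPress creates."""
    path = urlsplit(url).path.lower()
    return any(marker in path for marker in WORDPRESS_MARKERS)


def triage(text, family="emotet"):
    """Summarise the rows tagged with `family`: totals, WordPress share, URLs per host."""
    rows = [r for r in parse_urlhaus(text) if family in tags_of(r)]
    wordpress = [r for r in rows if is_wordpress_url(r["url"])]
    hosts = Counter(urlsplit(r["url"]).hostname for r in rows)
    return {
        "family_urls": len(rows),
        "wordpress_urls": len(wordpress),
        "hosts": hosts,
        "wordpress_hosts": sorted({urlsplit(r["url"]).hostname for r in wordpress}),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_CSV)
    print(f"{summary['wordpress_urls']} of {summary['family_urls']} Emotet URLs "
          "sit on WordPress paths")
    for host, n in summary["hosts"].most_common():
        print(f"  {host}: {n} URL(s)")
```

Matching on `wp-content`, `wp-includes` and `wp-admin` is deliberately conservative: a WordPress site whose upload directory has been renamed will be missed, but a hit is rarely a false positive. Resolving each host to its hosting provider (the check the author describes) needs DNS and WHOIS lookups, which this offline example leaves out.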


HARD FACT

Emotet is back! For how long is hard to predict, but they don’t behave as if
they have any plans to retire again soon.

Stay safe, everyone!


RELATED

 * TrickBot helps Emotet come back from the dead (November 16, 2021, in "Threat
   Intelligence")
 * New Emotet delivery method spotted during downward detection trend (October 28,
   2020, in "Malwarebytes news")
 * Emotet on the rise with heavy spam campaign (September 21, 2018, in "Cybercrime")

ABOUT THE AUTHOR

Pieter Arntz
Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four
languages. Smells of rich mahogany and leather-bound books.

